refactor: update HTTPS listener to accept port parameter and enhance configuration (#146)

Author: eball

config/ingress/nginx.tmpl

@@ -212,10 +212,11 @@ http {
         {{- if eq $server.Port 0 -}}
         {{/* +++++ start domain server +++++ */}}
         server_name {{ buildServerName $server.Hostname }} {{ range $server.Aliases }}{{ . }} {{ end }};
-        {{ buildHTTPListener $all $server.Hostname }}
+        {{ buildHTTPListener $all $server.Hostname }};
 
         {{ if $server.EnableSSL }}
-        {{ buildHTTPSListener $all $server.Hostname }}
+        {{ buildHTTPSListener 443 $all $server.Hostname }};
+        {{ buildHTTPSListener 444 $all $server.Hostname }} proxy_protocol;
         ssl_certificate     {{ $all.SSLCertificatePath -}};
         ssl_certificate_key {{ $all.SSLCertificateKeyPath -}};
         ssl_protocols {{ $cfg.SSLProtocols }};
@@ -286,9 +287,9 @@ http {
         proxy_set_header Connection $conn;
 
         {{ if and $server.Hostname $server.EnableAuth }}
-        rewrite_by_lua_block {
-            lua_ingress.force_to_https()
-        }
+        # rewrite_by_lua_block {
+        #    lua_ingress.force_to_https()
+        # }
         access_by_lua_block {
             token_auth.validate()
         }
@@ -340,9 +341,11 @@ http {
         {{/* +++ start server_name, listen and ssl +++ */}}
         {{/* +++++ start domain server +++++ */}}
         server_name {{ buildServerName $server.Hostname }} {{ range $server.Aliases }}{{ . }} {{ end }} ;
+        {{ buildHTTPListener $all $server.Hostname }};
 
         {{ if $server.EnableSSL }}
-        {{ buildHTTPSListener $all $server.Hostname }}
+        {{ buildHTTPSListener 443 $all $server.Hostname }};
+        {{ buildHTTPSListener 444 $all $server.Hostname }} proxy_protocol;
         ssl_certificate     {{ $server.SslCertPath -}};
         ssl_certificate_key {{ $server.SslKeyPath -}};
         ssl_protocols {{ $cfg.SSLProtocols }};
@@ -407,9 +410,9 @@ http {
         proxy_set_header Connection $ws_connection;
 
         {{ if and $server.Hostname $server.EnableAuth }}
-        rewrite_by_lua_block {
-            lua_ingress.force_to_https()
-        }
+        # rewrite_by_lua_block {
+        #    lua_ingress.force_to_https()
+        # }
         access_by_lua_block {
             token_auth.validate()
         }
@@ -444,7 +447,7 @@ http {
     {{ if $all.SSLCertificatePath }}
     ## default https server
     server {
-        listen 443  ssl proxy_protocol default_server;
+        listen 444  ssl proxy_protocol default_server;
 
         ssl_certificate     {{ $all.SSLCertificatePath -}};
         ssl_certificate_key {{ $all.SSLCertificateKeyPath -}};

internal/ingress/controllers/template/template.go

@@ -377,7 +377,7 @@ func buildHTTPListener(t interface{}, s interface{}) string {
 	return strings.Join(out, "\n")
 }
 
-func buildHTTPSListener(t interface{}, s interface{}) string {
+func buildHTTPSListener(p interface{}, t interface{}, s interface{}) string {
 	var out []string
 
 	tc, ok := t.(config.TemplateConfig)
@@ -392,14 +392,20 @@ func buildHTTPSListener(t interface{}, s interface{}) string {
 		return ""
 	}
 
+	port, ok := p.(int)
+	if !ok {
+		klog.Errorf("expected a 'int' type but %T was returned", p)
+		return ""
+	}
+
 	co := commonListenOptions(tc, hostname)
 
 	addrV4 := []string{""}
 	if len(tc.Cfg.BindAddressIpv4) > 0 {
 		addrV4 = tc.Cfg.BindAddressIpv4
 	}
 
-	out = append(out, httpsListener(addrV4, co, tc)...)
+	out = append(out, httpsListener(addrV4, co, tc, port)...)
 
 	if !tc.IsIPV6Enabled {
 		return strings.Join(out, "\n")
@@ -410,18 +416,14 @@ func buildHTTPSListener(t interface{}, s interface{}) string {
 		addrV6 = tc.Cfg.BindAddressIpv6
 	}
 
-	out = append(out, httpsListener(addrV6, co, tc)...)
+	out = append(out, httpsListener(addrV6, co, tc, port)...)
 
 	return strings.Join(out, "\n")
 }
 
 func commonListenOptions(template config.TemplateConfig, hostname string) string {
 	var out []string
 
-	if template.Cfg.UseProxyProtocol {
-		out = append(out, "proxy_protocol")
-	}
-
 	if hostname != "_" {
 		return strings.Join(out, " ")
 	}
@@ -452,7 +454,6 @@ func httpListener(addresses []string, co string, tc config.TemplateConfig) []str
 		}
 
 		lo = append(lo, co)
-		lo = append(lo, ";")
 		return lo
 	}
 
@@ -469,28 +470,16 @@ func httpListener(addresses []string, co string, tc config.TemplateConfig) []str
 	return out
 }
 
-func httpsListener(addresses []string, co string, tc config.TemplateConfig) []string {
+func httpsListener(addresses []string, co string, tc config.TemplateConfig, port int) []string {
 	out := make([]string, 0)
 
 	fn := func(address string) []string {
 		lo := []string{"listen"}
 
-		if tc.IsSSLPassthroughEnabled {
-			if address == "" {
-				lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.SSLProxy))
-			} else {
-				lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.SSLProxy))
-			}
-
-			if !strings.Contains(co, "proxy_protocol") {
-				lo = append(lo, "proxy_protocol")
-			}
+		if address == "" {
+			lo = append(lo, fmt.Sprintf("%v", port))
 		} else {
-			if address == "" {
-				lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.HTTPS))
-			} else {
-				lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTPS))
-			}
+			lo = append(lo, fmt.Sprintf("%v:%v", address, port))
 		}
 
 		lo = append(lo, co)
@@ -500,7 +489,6 @@ func httpsListener(addresses []string, co string, tc config.TemplateConfig) []st
 			lo = append(lo, "http2")
 		}
 
-		lo = append(lo, ";")
 		return lo
 	}